Re: Loopback Processing
From: Mark Renoden [MSFT] (markreno_at_online.microsoft.com)
Date: 09/23/04
- Next message: Mark Renoden [MSFT]: "Re: Need More GPO Settings"
- Previous message: Christopher Walker: "Re: Group Policy Windows Settings - Can it be done?"
- In reply to: Andrew: "Re: Loopback Processing"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 24 Sep 2004 08:45:48 +1000
Hi Andrew
To answer your questions:
1. No, Policy Loopback only has to be defined in one GPO that applies to the
computer. This sets a registry value which is then checked at user logon.
If however you have Policy Loopback defined in two places and the values
conflict, it will be the GPO with the higher precedence that wins.
2. I think your follow up post explains this :)
Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: markreno@online.microsoft.com

Please note you'll need to strip ".online" from my email address to email me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

"Andrew" <lak18@hotmail.com> wrote in message news:478b01c4a16d$5baa2140$a501280a@phx.gbl...
> Thank you Mark,
>
> That does clear up a lot, could you answer a couple other questions.
>
> 1. As long as loopback is set in one GPO, it doesn't have to be set in any other GPO that falls within the hierarchy?
>
> 2. I have a GPO that has both Computer and User Configuration settings. I apply it to an OU which only has computer objects underneath it. The GPO has Loopback set with replace mode. I set deny permissions on a specific machine account, which resides in this OU, to the GPO. When running a result, the machine does not get the Computer configuration settings. However, the User configuration settings from this GPO are still applied. If the machine account is given deny permission, during loopback, shouldn't it skip over the GPO completely? Why does it still apply the User Configuration settings? Is this a feature or a flaw?
>
>>-----Original Message-----
>>Hi Andrew
>>
>>Group Policy Loopback works as follows:
>>
>>1. When the computer boots, the list of GPOs for the computer is gathered based on its location in the Active Directory. This is its SOM or Scope of Management. The list includes GPOs linked to OUs at each level in the hierarchy from the OU in which the computer resides all the way up to the domain.
>>
>>2. The computer configuration settings from this list are applied to the computer provided it has permissions to the GPOs.
>>
>>3. When the user logs in, different behaviour occurs according to the policy loopback settings:
>>
>>A. Loopback off - the SOM for the user is calculated and then user configuration settings applied according to user permissions. The location of the user account in the AD decides entirely which user configuration settings are applied.
>>
>>B. Loopback merge mode - the SOM for the user is calculated as in A. The user configuration settings from this SOM are applied but at a lower precedence to the user configuration settings in the computer SOM. Once again, user permissions allow or prevent application of these settings regardless of whether they came from the user or computer SOM.
>>
>>C. Loopback replace mode - the SOM for the user is not considered. The user configuration settings are applied from the GPOs in the computer SOM provided they have user permissions.
>>
>>+++++++++++
>>
>>To answer your question, the Users need permissions to read and apply the GPOs.
>>
>>HTH
>>--
>>Mark Renoden [MSFT]
>>Windows Platform Support Team
>>Email: markreno@online.microsoft.com
>>
>>Please note you'll need to strip ".online" from my email address to email me; I'll post a response back to the group.
>>
>>This posting is provided "AS IS" with no warranties, and confers no rights.
>>
>>"Andrew" <lak18@hotmail.com> wrote in message news:48a501c4a0a5$7c1cb280$a301280a@phx.gbl...
>>> Hello,
>>>
>>> You have been very helpful to me in the past, and I'm wondering if anyone can give me some insight into Loopback processing replace mode. I'm familiar with what it is intended to do, but have found some odd real life results using it.
>>> Any useful reading material or real life experiences would be greatly appreciated.
>>> My experience has been this
>>>
>>> I have a group policy with both User and Computer settings in it. I set it at the top level of my tree. On the scope tab I set the filtering to apply to a global group. In the global group I have added only a few computer accounts which I only want to target.
>>>
>>> Further down the tree I have multiple Workstation OUs, which contain all my computer objects. On each of these OUs I have a GPO where Replace mode Loopback processing is enabled. When logging in, only the settings in the Computer portion of the top level GPO are applied. The User settings are not applied. When running a result, I see that the User portion of this GPO was denied due to security filtering. Shouldn't the Replace Loopbacking have fixed this? How can I get the user settings to be applied, without adding user objects to the Global Group.
>>>
>>> I hope I made this clear enough to follow
>>>
>>> Thank You
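The processing order described in the thread above, written out as a simplified model. This is an added example, not part of the original posts and not Microsoft's code; the `GPO` class, the function names, and all GPO, group and account names are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    allowed: set = field(default_factory=set)  # principals with Read + Apply Group Policy
    denied: set = field(default_factory=set)   # explicit deny wins over allow

    def applies_to(self, principals):
        return bool(self.allowed & principals) and not (self.denied & principals)

def computer_gpos(computer_som, computer_principals):
    # Step 2: computer settings are filtered on the computer's permissions.
    return [g.name for g in computer_som if g.applies_to(computer_principals)]

def user_gpos(mode, user_som, computer_som, user_principals):
    # Step 3: result is ordered lowest precedence first. Whichever SOM a GPO
    # comes from, the *user's* permissions decide whether it applies.
    if mode == "off":
        candidates = list(user_som)
    elif mode == "merge":
        candidates = list(user_som) + list(computer_som)  # computer SOM wins conflicts
    elif mode == "replace":
        candidates = list(computer_som)                   # user SOM ignored
    else:
        raise ValueError(f"unknown loopback mode: {mode}")
    return [g.name for g in candidates if g.applies_to(user_principals)]

# Constructed sample data (not from the thread's real environment).
ALICE = {"alice", "Authenticated Users"}
PC01 = {"PC01$", "Authenticated Users"}
PC02 = {"PC02$", "Authenticated Users", "TargetPCs"}
SALES = GPO("SalesUsers", allowed={"Authenticated Users"})
# Second question: GPO on a computer-only OU, deny set on one machine account.
KIOSK = GPO("Kiosk", allowed={"Authenticated Users"}, denied={"PC01$"})
# First question: top-level GPO security-filtered to a group of computers only.
TOP = GPO("TopLevel", allowed={"TargetPCs"})

def andrew_scenarios():
    return {
        "deny_computer_settings": computer_gpos([KIOSK], PC01),
        "deny_user_settings": user_gpos("replace", [SALES], [KIOSK], ALICE),
        "filtered_computer_settings": computer_gpos([TOP], PC02),
        "filtered_user_settings": user_gpos("replace", [SALES], [TOP], ALICE),
    }

if __name__ == "__main__":
    for label, gpos in andrew_scenarios().items():
        print(f"{label}: {gpos}")
```

Both observations in the thread fall out of the same rule: the computer's access control entry only gates the computer half of a GPO, and the user's access control entry only gates the user half, even when loopback pulls the GPO from the computer's SOM.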